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This Reply Brief is being filed within two (2) months of the mailing of the Examiner's Answer 
mailed on 01/05/2010. 



Following is an issue-by-issue reply to the Examiner's Answer. 



Issue . 



The Examiner has objected to the Specification as failing to provide proper antecedent basis for 
the claimed subject matter. 

Specific-ally, the Examiner has argued that "ffjhe phrase 'computer readable medium,' is not 
found to have proper antecedent basts in the specification" and that '"[ijn order to overcome the 
objection, an amendment to the specification is necessary constituting a non-exhaustive 
statement of what the phrase 'computer readable medium' would be as it would have been 
known... in order to verify that the term... could not be taken in the context of non-statutory 
subject matter." 

Appellant respectfully disagrees and notes that in Claim i , appellant specifically claims "[a] 
computer program product embodied on a tangible computer readable medium " (emphasis 
added), which is clearly statutory. Additionally, appellant respectfully directs the Examiner's 
attention to Page 11, lines 14-16 and 21-23 of appellant's specification, which discloses that 
"computer program instructions... may be stored in one or more of the rando . cess memory 
204, the read only memory 206 and the hard disk drive 21 0" and that a "computer program may 
be stored and distributed on a recording medium or dynamically downloaded to the general 
purpose computer 200"' (emphasis added), which are clearly examples of tangible computer 
readable mediums. Therefore, appellant's claimed "tangible computer readable medium" is 
clearly supported by the Specification, as claimed. 

Of course, it should be noted that the above citations are merely examples of the above claim 
language and should not be construed as limiting in any manner. 

In the Examiner's Answer mailed on 01/05/2010, on Page 4, the Examiner has not considered 
appellant's arguments "because the issue relates to petit ion able subject matter under 37 CFR 
1,181 and not to appealable subject matter," and has referred to MPEP § 1002 and § 1 20 1. 

Appellant respectfully disagrees and notes that MPEP §1002(a)(l) merely discloses that 
"[pjeiition may be taken to the Director... [fjrom any action or requirement of any examiner in 
the ex pane prosecution of an application... which is not subject to appeal to the Board of Patent 



Appeals and Interferences or to the court" (emphasis added), and MPEP §1002 generally 
discloses thai 'Ip jetitipns on appealable. matters ordinarily are not. entertained''' (emphasis added}. 
Additionally, appellant notes that MPEP §1201 discloses that "[wjhere the differences of opinion 
concern the denial of patent claims because of prior art or **>other patentability issues<, the 
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Therefore, the Examiner's objection to appellant's Specification with respect to appellant's claim 
languag e allegedly having improper antecedent basis constitutes a denial of one or more of 
appellant ' s patent claims because of a patent ihil h ssue, and as a result the appeal, process is 
appropriate. In view of appellant's arguments hereinabove, appellant again respectfully notes 
that appellant's claimed "tangible computer readable medium" is clearly supported by the 
Specification, as claimed. 

Issue 2: 

The Examiner has rejected Claims 1, 3-13, 15-18, 20-30, 32-35, 37-47, 49-52, and 55 under 35 
U.S.C. 1 J 2, first paragraph, as failing to comply with the enablement requirement. 

Group til: Claims I 5-/5, 15-18, 20-30, 52-55, 37-47, 49-52. and 55 

Specifically, the Examiner has argued that "[tjhe specification does not disclose how to detect, 
whether the modified set of rules decreases malicious network traffic or slows malware 
propagation" and that "it is unclear how modified rules in one particular system has any effect on 
the amount of malicious traffic or the amount of propagated malware." 

Appellant respectfully disagrees, first appellant's claimed "determining whether said modified 
set of rules decreases malicious network traffic'' and "determining whether said modified set of 
rules slows malware propagation" (see this or similar, but not necessarily identical language in 
the independent claims) is sufficiently enabled on Page 6, lines 4-12 of appellant's specification. 
For example, such excerpt discloses that "after a modified set is transmitted to other computers 
some network sensors detect the effect (e.g., decrease of traffic) and send a 'positive' signal 



back" (Page 6, lines 9-1 1), which clearly teaches how to detect whether the modified set of rules 
decreases malicious network traffic or slows malware propagation, as noted by the Examiner. 



In the Examiner's Answer mailed on 01/05/2010, on Page 4, the Examiner has referred to MPEP 
2164.01 and has cited numerous "factors to be considered when determining whether there is 
sufficient evidence to support a determination that a disclosure does not satisfy die enablement 
requirement and whether any necessary experimentation is 'undue'" from an unknown source. 
Additionally, on Page 5, the Examiner has argued the following: 



Therefore, the ski.Xl.ec3. artisan would need to perform undue experimentation 
to perform tha above menfcion«d determinations because the specification 
fails to provide even a hint of how the report is created o;: how the 
entire network'.? traffic it "lonxtored." 



Appellant respectfully disagrees. First, appellant respectfully notes That support for the 
disclosure in appellant's specification of "a report that modified mie(s) decrease the malicious 
network traffic or slowdown the malware propagation" (Page 6, lines 7-9) is clearly shown in the 
subsequent sentence of appellant's specification, where it is disclosed that "j ajs an examp le, after 
a modified set is transmitted to other computers some network sensors detect the effect (e.g. , 
decrease of traffic) and send a - positive' signal back " (Page 6, lines 9-1 1 ), where the '"positive' 
signal" is clearly an example of the aforementioned "report. " This is reinforced by the disclosure 
in the specification that "an external signal could be a report " (Page 6, line 7 - emphasis added). 

Therefore, since the specification clearly discloses an exemplary process of how the disclosed 
"report" may be generated fas a positive signal from a network sensor), a skilled artisan would 



not need to perform undue experimentation to determine how the report is created, as argued by 
the Examiner. Additionally, since the specification clearly illustrates an example where 
"network sensors detect the effect (e.g., decrease of traffic)" (Page 6, lines 9-1 1 - emphasis 
added), a skilled artisan would not need to perform undue experimentation to determine "how 
the entire network's traffic is monitored," as argued by the Examiner. 

Additionally, in the Examiner's Answer mailed on 01/05/2010, on Pages 5-6, the Examiner has 
cited In re Wornls and In re Angskuh and has further argued the following: 
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in fact clearly illustrate an exemplary procedure performed to create the report by disclosing that 
" network sensors detect the effect (e.g., decrease of traffic) and send a 'positive' signal back" 
(emphasis added), where the "positive" signal is clearly an example of a report, as shown 
hereinabove. Therefore, appellant asserts that the specification is not in fact "silent with respect 
to procedures performed to create the report/' as argued by the Examiner, and that as a result, a 
large quantity of experimentation is unnecessary to perform the claimed invention. 

Further, appellant notes that the Examiner lias in fact cited from Wands the assertion that "a 
considerable amount > j rj mat t is permi ibk if it is merely routine- or if the 
specification in question provides a reasonable amount of guidance with respect to the direction 
In which the experimentation should proceed" (emphasis added). However, since, as 
demonstrated by appellant hereinabove, a considerable amount of experimentation is not. 
ne cessary., in the present case , the question as to whether the considerable amount of 



experimentation is routine or whether the specification in question provides a reasonable amount 
of guidance wi th respect to the direction in which the experimentation should proceed is moot. 



Further still, in the Examiner's Answer mailed on 01/05/2010, on Page 6, the Examiner has cited 
In re Fisher and has further argued the following with respect to "[t]he level of predictability in 
the art" and "[tjhe amount of direction provided by the inventor": 



change within the subject rsatter to which the. claimed invention 
pertains . In the instant case, the tmpredict&ble factors in c lads the 
amount of malicious; trafiiio and the amount of rtalware propagation. It 
is unclear how the skilled artisan would measure a change in the total 
amount of malicious traffic for an entire network based upon a 
modi J: i cation of a set oil rules. Likewise, it is unclear how the 
skilled artisan would measure a change in malware propagation based 
upon a modification to these same rules." 

Appellant respectfully disagrees. Specifically, appellant again notes thai, as shown hereinabove, 
appellant's specification (specifically, the disclosure in the specification of an exemplary process 
of how the disclosed "report" may be generated and sent as a positive signal from a network 

sensot ) death pto\ ales nc i recti on as to "how to detect whether the modified set of 

rales decreases malicious network traffic or slows malware propagation," as noted by the 
Examiner. Therefore, the issue as to "whether one skilled in the art can readily anticipate the 
effect of a change within the subject matter to which the claimed invention pertains" is in fact 
moot. 

'Nevertheless, appellant notes thai it is in fact clear that a skilled artisan may "measure a change 
in the total amount of malicious traffic [and malware propagation] for an entire network based 
upon a modification of a set of rules" since, as mentioned hereinabove, appellant's specification 
clearly teaches that "after a modified set is transmitted to other computers some netw ork sensors 
s it effect (e.g decrease of traffic) and send a posjj gn id where the extej I 
>uh he a repot t that modified rule(-o dt ejhj rna ok >i 1 ti tj c c d 5 '< vn 



the...md^ie...gropagatimi " (Page 6, lines 7-11 - emphasis added). Therefore, appellant's 
disclosure of network ...sensors det^mg. an..efl^ of a modified rule set and se nding a signal 
back, where the signal can signify a decrease in the malicious network traffic or a slowdown the 
malware propagation , clearly illustrates "measuring] a change in the total amount of malicious 
traffic [and raalware propagation'] tor an entire network based upon a modification of a set of 
rules," as noted by the Examiner. 

Therefore, appellant again notes that the aforementioned excerpts from appellant's specification 
clearly teach how to detect whether the modified set of rules decreases malicious network traffic 
or slows malware propagation, as noted by the Examiner. 

Additionally, in response to the Examiner's allegation that "it is unclear how modified rules in 
one particular system has any effect on the amount of malicious traffic or the amount of 
propagated malware," appellant respectfully points to Page 3, lines 17-25 of appellant's 
specification, which discloses that "[a secondary set of jexternal program calls logged in 
association with the primary set of external program calls known to correspond to malicious 
computer program activity may themselves subsequently be used as an indicator for malicious 
computer program activity," where "[tjbe secondary sets of externa! program calls are 'tainted' 
by their association with the primary set of external program calls and the set of rules may be 
modified to be more sensitive to the secondary set of external program calls ,'" and where "the set 
of tides associated with malicious computer program activity may be extended and the detection 
madepotentially more sensitive, reliable and proactive " (emphasis added). 

Therefore, in one embodiment, the modified set of rules may be more sensitive to additional 
external program calls, and may therefore be extended, resulting in more sensitive, reliable, and 
proactive detection, which may in turn decrease malicious network traffic and slow malware 
propagation. 

In the Examiner's Answer mailed on 01/05/2010, on Page 7. the Examiner has argued the 
following: 

"Appellant's specification... discloses that the modification of the 
rules involves the modification of values assigned to each program call 



associated with the rules . when program code is monitored for 
v. - behavior, . <; by 

the monitored code. Each program call has a specified value assigned 

code exceeds a predetermined threshold, she rscni to red code is 

'Hie the 
raonitored code is actually malicious . Therefore, the modification of 
these roles does not affect, the acmes amoorn: of malicious traffic, or 
the actual aiaount of maiwaxe propagation, but instead merely modifies 
what the monitoring program considers to be malicious . " 



Appellant respectfully disagrees and again notes that appellant's specification teaches that "the 
set of rules associated with malicious computer program activity may be extended , ' resulting in 
"the detection [b,§iO£j,,,,mMg,J,9feBlkLj,Y more sensitive, reliable and proactive" (Page 3, lines 
23-25 - emphasis added). Additionally, appellant respectfully points to Page 2, lines 26-29 of 
appellant's specification, which discloses that "certain sequences of external program calls, or 
combinations of external program calls with certain characteristics, are indicative of malicious 
computer program activity and may be used to trigger anti- malware resp onses" (emphasis 
added). Further, appellant points to Page 2, lines 6-8 of appellant's specification, which 
discloses " detection of malici ous computer program activity ., using delected characteristics of 
stern program calls (einpha added) 

Therefore, appellant's specification discloses the detection of malicious activity as well as the 
triggering of aiui-roahvare responses in response to external program calls, where such detection 
and triggering clearly affects "the actual amount of malicious traffic, or the actual amount of 
na ... propagati< n. as noted by the Examiner, since the detecting of malicious activity and 
the tri ggering of and anti-malware response clearly result in a reduction of malicious traffic and 
malware propagation . Since such detection of malicious activity (and the resultant triggering of 
anti-malware responses) ma\ be "made potentially men. n in e, reliabk uk pi live" as a 
result of a modified set of rules associated with malicious computer program activity, such 
modified set of rules clearl> tffect: t] im t tt f ma I 1 tf ffic and malware propagation 



Again, with respect to the aforementioned excerpts from appellant's specification, it should he 
noted that the above citations are merely examples of the above claim language and should not 
be construed as limiting in any manner. 

issue # 3: 

The Examiner has rejected Claims I, 3-13, 15-18, 20-30, 32-35, 37-47, and 49-52 under 35 
U.S.C. 1 12, second paragraph, as failing to particularly point out and distinctly claim the subject 
matter which appellant regards as the invention. 

Group ft J: Claims 1, 3-13, 15-18, 20-30, 32-35, 37-47, and 49-52 

Specifically, the Examiner has argued that "(fjhe term 'more strongly associated' is not defined 
by the claim, the specification does not provide a standard for ascertaining the requisite degree, 
and one of ordinary skill in the art would not be reasonably apprised of the scope of the 
invention." 

Appellant respectfully disagrees. First, appellant respectfully notes that appellant specifically 
claims "modifying said set of rules such that said at least one secondary set of one or more 
external program calls are more strongly associated with malicious computer program activity 
than said primary set of said one or more externa! program calls" (emphasis added - see this or 
similar, but not necessarily identical language in the independent, claims). Therefore, appellant 
clearly claims that "said at least one secondary set ... [is] more strong l y associated with malicious 
computer program activity than said primary set " (emphasis added). 

Additionally, appellant respectfully points to Page 4, lines 29-32 of appellant's specification, 
where it is disclosed that "a particularly convenient way of modifying the rule set [to] make it 
more sensitive to the secondary sets of external program calls is to increase the score values 
associated with such secondary sets of external program calls" (emphasis added). Additionally, 
Page 9, lines 21-26 of appellant's specification discloses "the generation of plurality of new rules 
which sene to mi l iate i cond igts o( external program calls with 



malicious activity " where "[t]he secondary sets themselves may not be sufficient to trigger the 
atUi-maiware response, but ^MILJ^m^#^gi^llJj»ggjged such that when they occur in 
combination with other detected behavioural characteristics an anti-maiware response will now 
be triggered" (emphasis added). Therefore, in one embodiment, appellant's claimed "at least one 

s (. ndan et i 10 stern im ca i mi strong!; ociated k "i> . u 

computer program <ietn it) ' In it i ssociated with such secondary sets 

of externa! program calls" (emphasis added). 

As a result, appellant's aforementioned claim language clearly is particularly pointed out and 
distinctly claimed. Again, it should be noted that the above citations are merely examples of the 
above claim language and should not be construed, as limiting in any manner. 

in the Examiner's Answer mailed on 01/05/2010, on Page 8, the Examiner has argued the 
following: 

< iz of x les to ma > 

activity. The ••*••.: am reqsire that: the rules be modif ied such that, a 
secondary set of program calls are "more strongly associated' with 
malicious computer program activity than a primary set of program 

x>: ' that 

primary set of program calls is already associated with malicious 
activity when used to generate new/modified rules using secondary sets 
at program calls. Speei f. i cai Ly , (page 9, lines 23-29}... appears to 
suggest chat the rales are modified such thar the secondary set of 
program calls is associated with malicious activity to the same extent 
that the primary set of program calls is associated with malicious 
activity . There fore, - specification does not; clearly define bow the 
modified rules that include the secondary set of program calls is "more 
strongly associated' to malicious activity than the primary set of 
program calls." 

Appellant respectfully disagrees. First, appellant points to Page 4, lines 22-26 of appellant's 
specification, which discloses that "fa] particularly convenient way of structuring this rule set is 
to uv_ so i \) s j^ociated with certain tht i rsj - oj coml in uons of characteristics of 



e^emal..pl^ram.ca|]s " where "[i]n this way, a lo gg^.Mream.may.fae.aiml^M and when the 
toMtsgom .value associated with that logged stream exceeds,a,threshoJd,^ an anti-roalware 
response may be triggered 1 ' (emphasis added). Additionally, as mentioned hereinabove, 
appellant's specification further discloses that one way of modifying a rule set to be more 
sensitive to secondary sets of program calls is to incioaso the score ^ aluc^ associated with the 
secondary sets of program calls. 

Iheiefoie since appellant's specification clearly disclose con yes hat i 1 - a iciated with 
characteristics of external program calls and which are used to trigger anti-malware responses 
once the score values exceed a thresho id value, and discloses that increasing the score values 
associated with secondary sets of program calls of a rule set results in those secondary sets 
having higher score values that are closer to the triggering threshold valne . and are therefore 
"more strongly associated with malicious computer program activity" (emphasis added). As 
such, appellant's specification does in fact "clearly define how the modified rules that include 
the secondary set of program calls is 'more strongly associated" to malicious activity than the 
primary set of program calls " as noted by the Examiner, 

Further, as shown hereinabove, appellant's claimed "score values' 5 clearly "provide a standard 
for measuring] the association of the claimed set of rules to malicious computer program 
activity," as noted by the Examiner. Additionally, "increasin g] the score values associated 
with... secondary sets of external program calls" in order to " more strong l y associatf e ] [the 
secondary sets of external program calls] with malicious computer program activity" does not 
"suggest that the rules are modified such that the secondary set of program calls is associated 
with malicious activity to the same extent that the primary set of program calls is associated with 
malicious activity" {emphasis added) as alleged by the Examiner. 

As such, appellant again notes that appellant's aforementioned claim language clearly is 
particularly pointed out in the specification and is distinctly claimed. Again, it should be noted 
that the above citations are merely examples of the above claim language and should not be 
construed as limiting in any manner. 



Also, appellant's c laimed "modifying said set of rules such that said at least one secondary set of 
one or more external program calls are more strongly associated with malicious computer 
program activity than said primary set of said one or more external program calls" (see this or 
similar, but not necessarily identical language in the independent claims) is purposefully drafted 
in a. broad manner, and it would be unduly limiting for the Examiner to require appellant: to 
specifically "provide a standard for ascertaining the requisite degree," as argued by the 
Examiner. 

Additionally, the Examiner has argued that "it is unclear how modifying 'said set of rides' has 
any effect on a set of program calls that has already been logged, or the amount of malicious 
network traffic and raalware propagation." 

Appellant respectfully disagrees. First, appellant respectfully asserts that appellant's claims do 
not necessarily recite that a modified set of rides has an effect on a set of program calls that has 
already been logged, as suggested by the Examiner. For example, appellant claims "modifying 
code operable to modify said set of rules such thai said at least one secondary set of one or more 
external program calls are more strongly associated with malicious computer program activity 
than said primary set of said one or more external program calls. . .wherein said set of rules is 
modified to include a new rule corresponding to said secondary set of one or more external 
program calls, said new rule thereafter being used in addition to other rules within said set of 
rules" (see this or similar, but not necessarily identical language in the independent claims). 

Second, appellant points to Page 8, lines 8-11 and 17-21, which disclose one exemplary 
embodiment in which "checking is performed... which includes within its functionality the 
logging of a stream of external program calls, the identification of a primary set of p ro gram 
instruction calls found to match a rule or set of rules within the rules 10 and corresponding to 
malicious computer program, activity;' where "results associated with a particular external 
program call may also be examined and form part of the rule comparisons performed... in 
determining whether a particular external program call or set of external program calls matches 
one of the u > ying i iou '< -p irer progiam act^ i a sis added) 



Therefore, in one embodiment, results associated with an externa! program call may form part of 
rule comparisons that are performed for purposes of identifying malicious computer program 
activity. Thus, as shown hereinabove* appellant's aforementioned claim language clearly is 
particularly pointed out and distinctly claimed. Also, it should again be noted that the above 
citations are merely examples of the above claim language and should not be construed as 
limiting in any manner. 

In the Examiner's Answer mailed on 01/05/2010, the Examiner has failed to respond to 
appellant's above arguments. Again, appellant notes that appellant's aforementioned claim 
language clearly is particularly pointed out in the specification and is distinctly claimed. 

In view of the remarks set forth hereinabove, all of the independent claims are deemed 
allowable, along with any claims depending therefrom. 



In the event a telephone conversation would expedite the prosecution of this application, the 
Examiner may reach the undersigned at (408) 971-2573. For payment of any additional fees due 
in connection with the filing of this paper, the Commissioner is authorized to charge such fees to 
Deposit Account No. 50- J 351 (Order No. NAI1P489). 



Respectful iy submitted, 



By: /KEV1NZILKA/ Date: March 5. 2010 

Kevin J. /ilka 
Reg. No. 41,429 

Zilka-Kotab, P.C 

P.O. Box 72 1 120 

San Jose, California 95 172-1 120 

Telephone: (408)971-2573 

Facsimile: (408)971-4660 



